DEVHIDE
Login Or Sign up

CSRF implementation in a Spring + Wicket project

84 Views Asked by At

We have to implement csrf in a legacy application which uses spring and wicket for frontend framework. To implement csrf we have tried two approaches:

Approach 1: upgraded spring security to version 4 so that csrf is enabled by default and we have added the hidden field in all the wicket forms. But unfortunately we are getting 403 error after login:

This is html page:

<form wicket:id="Form" id="Form" method="post">
    <input type="hidden" wicket:name="${_csrf.parameterName}" wicket:value="${_csrf.token}"/>
    <span id="feedback" wicket:id="feedback"/>
    <h2 align="left">Test Text</h2>
    <table border="0" cellspacing="2" cellpadding="0" class="form">
        <tr>
            <td>
                <h4>Test</h4>
            </td>
            <td>
                <span class="required">*</span>
            </td>
            <td class="FieldName">
                <select wicket:id="Test"/>
            </td>
        </tr>
        <tr>
            <td colspan="3">&nbsp;</td>
        </tr>
    </table>
    <div class="buttonpannel">
        <div class="right">
            <input wicket:id="submit" type="submit" value=" OK " readonly="readonly" style="width:80px;"/>
        </div>
    </form>

Approach 2: We have also tried to generate the token like using java and followed this link. But the interceptor and the datavalue processor are not being called and we see no difference in the application after the implementation. This is our web.xml:

<security:http entry-point-ref="http403EntryPoint">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:custom-filter ref="preAuthFilter" position="PRE_AUTH_FILTER"/>
    <!-- security:access-denied-handler error-page="/error/403" /-->
</security:http>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<bean id="preAuthFilter" class="com.c.w.security.PreAuthFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="checkForPrincipalChanges" value="true"/>
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean class="com.c.w.security.UserDetailsService"/>
    </property>
</bean>
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref='preauthAuthProvider'/>
</security:authentication-manager>
<security:global-method-security secured-annotations="enabled"/>
<!-- Data Value Processor -->
<bean name="requestDataValueProcessor" class="com.c.w.csrf.CSRFRequestDataValueProcessor"/>
<!-- Interceptor handlers -->
<mvc:interceptors>
    <bean class="com.c.w.csrf.CSRFHandlerInterceptor"/>
</mvc:interceptors>

There is now way we are getting csrf to work in our application. We use wicket 1.5.10 version

spring-security csrf wicket csrf-token wicket-1.5
Original Q&A
0

There are 0 best solutions below

Related Questions in SPRING-SECURITY

Related Questions in CSRF

Related Questions in WICKET

Related Questions in CSRF-TOKEN

Related Questions in WICKET-1.5

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.